Method and apparatus for detecting malicious code in the form of a trojan horse in an information handling system

ABSTRACT

A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.

BACKGROUND

[0001] The present disclosure relates generally to information handling systems, and more particularly to a method and apparatus for detection of malicious computer code in the form of a Trojan horse in an information handling system.

[0002] Trojan Horses (“Trojans”) are a particular type of malicious code. Malicious code is code that executes on an information handling system, typically a computer, but it can also be a Personal Digital Assistant or other information handling device, and is intended to damage the computer, alter the computer without the permission of the computer's user, or use the computer against the wishes of the computer's user. The Trojan horse is executable code that can exist in one of many forms. For example, some but not all of the forms in which Trojans can be instantiated as executable code are as one or more programs, threads inside other programs, plugins or shared modules loaded by other programs, or modules loaded into operating system kernel memory in the manner of a device driver or loadable kernel module. A Trojan is a form of malicious code that enables a person to remotely control someone else's computer. The person who remotely controls the computer is known as the “Evil Hacker” while the person whose computer is being remotely controlled is known as the “Innocent Victim”. BackOrifice2000, SubSeven, NetBus and OptixPro are all examples of Trojans. Trojans are sometimes referred to as “back-doors” or “hacker back-doors.”

[0003] Most Trojans have two components, the client program (Trojan Client) that is run on the Evil Hacker's computer and the server program (Trojan Server) that is run on the Innocent Victim's computer. Some Trojans have only a Trojan Server that can be remotely controlled through manually entered commands rather than through the programmatic interface of a Trojan Client.

[0004] Trojans can be used by Evil Hackers to disrupt the normal operation of the Innocent Victim's computer, to spy on the Innocent Victim, to steal money from the Innocent Victim, or to steal intellectual property from the Innocent Victim. The Evil Hacker often uses the Innocent Victim's computer to perform these malicious activities in order to harm the organization to which the Innocent Victim belongs. Trojans can thus harm computer systems, whether or not the particular computer systems belong to an individual, a company, organization, or government.

[0005] There are many ways to infect a computer with a Trojan, including sending the Innocent Victim the Trojan Server disguised as a valid program, copying the Trojan Server onto the Innocent Victim's computer, or exploiting a vulnerability in the Innocent Victim's computer to place the Trojan Server on the computer.

[0006] Several techniques exist that are effective for detecting some forms of malicious code. For example, some types of malicious code can be detected by examining the binary code image of the running program or the binary image of the program when it is stored on a storage device. Many malicious code programs can be identified by a unique bit or byte pattern. The unique bit or byte pattern can comprise the entire image of the program while it is in memory or while it is stored on disk. The signature can also be a bit or byte pattern that is a portion of the program in memory or on disk. Once the unique sequence has been identified, a signature can be developed to identify the sequence. The signature is often the bit or byte pattern itself or it is in the form of a checksum. A detection program can then search for a malicious code program using the signature to identify the unique bit or byte sequence. Trojans, however, can be configured so that they have no easily identifiable signature. Trojans have configuration parameters that change the bit or byte sequences in the program and make it difficult or impossible to provide a unique signature. There are many tools available that can be used to reconfigure a Trojan so that it will not have a known signature.

[0007] Another technique used to identify malicious code examines the behavior of a Trojan Server while the Trojan Server is loaded and installed on a computer. With such a technique, a loaded and installed program is first placed into a Sandbox. The Sandbox comprises a restricted area on the computer where the program (e.g., Trojan Server) can be examined safely. While such an approach may be effective for preventing some Trojan infection, the approach does not however detect Trojan Servers once they are already installed on a computer. Such an approach does not detect many Trojan Servers because Trojans do not exhibit their most characteristic behaviors while they are being loaded or installed, but rather they come alive and exhibit their malicious behavior after they have been loaded and installed.

[0008] Accordingly, it would be desirable to provide an improved method for detecting Trojans in a computer system and overcoming problems in the art discussed above.

SUMMARY

[0009] A method for detecting malicious code on an information handling system includes executing malicious code detection code on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the malicious code detection code. The detection routines assign weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code based on scores that are determined as a function of the weights assigned by the detection routines. Computer-readable media and an information handling system are also disclosed.

BRIEF DESCRIPTION OF THE DRAWINGS

[0010] FIG. 1 is a system block diagram of an information handling system for implementation of the method of detecting a Trojan according to one embodiment of the present disclosure; and

[0011] FIG. 2 illustrates a detection architecture of a Trojan detection program according to one embodiment of the present disclosure.

DETAILED DESCRIPTION

[0012] In FIG. 1, a system block diagram of an information handling system 10 for implementing the method of detecting a Trojan according to one embodiment of the present disclosure is shown. Information handling system 10 includes one or more of: a central processing unit (CPU) 12, memory 14, input/output (I/O) devices, such as a display, a keyboard, a mouse, and associated controllers, collectively designated by a reference numeral 16, a hard disk drive 18, or other storage devices or media drives, such as may include a floppy disk drive, a CD-ROM drive, a DVD drive, and the like, collectively designated by a reference numeral 20, or various other subsystems, such as a network interface card, wireless communication link, etc., collectively designated by a reference numeral 22, all interconnected, for example, via one or more buses, shown collectively as a bus 24. Examples of information handling systems may include a computer system, a personal digital assistant, a thin client device, a thick client device, or similar information handling device.

[0013] In one embodiment, information handling system (IHS) 10 is configured with a suitable operating system to install and run executable code, programs, etc., from one or more computer readable media 26, such as a floppy disk, CD-ROM, DVD, or the like. Information handling system 10 may further be configured for communicating with another information handling system 28, for example, through a network 30 via a suitable communication link or links. The operating system of IHS 10 may also be configured to install and run programs, download data, etc., via network 30. The illustrative embodiments of the present disclosure may be practiced over an Intranet, the Internet, a virtual private network, or other suitable communication network.

[0014] According to one embodiment, the method of Trojan detection is implemented in the form of computer software, the computer software comprising instructions executable by the CPU of a computer system, for example, an Innocent Victim's computer system. The instructions include suitable program code processable by the computer system for performing the various functions as described herein. The various functions as discussed herein can be programmed using programming techniques well known in the art.

[0015] A novel method for detecting Trojans includes a method for detecting a server portion of a Trojan residing on a target computer system, for example, an innocent victim computer system. Furthermore, the method identifies the server portion of the Trojan when the server portion is executing on the target computer. As briefly discussed above, most Trojans have two components, a client program (Trojan Client) that is run on an Evil Hacker's computer and the server program (Trojan Server) that is run on the Innocent Victim's computer.

[0016] Accordingly, the method of detecting a Trojan includes a procedure for detecting a Trojan Server, i.e. the portion of a Trojan that resides on the Innocent Victim's computer system. The procedure can be embodied in a computer program, for example, a Trojan detection program. The Trojan detection program detects the presence of a Trojan while it is executing on a computer.

[0017] FIG. 2 illustrates an architecture of a Trojan detection program 40 according to an embodiment of the present disclosure. The Trojan detection program 40 includes detection routines 42 and a scoring algorithm 44. The detection routines 42 operatively couple to the operating system kernel 46 of the computer system under investigation via application programming interfaces (APIs) 48. The detection routines also access process behavior data 50 and binary image data 60, according to the particular requirements of a corresponding detection routine, further as discussed below.

[0018] In one embodiment, the Trojan detection program operates as follows. The Trojan detection program executes at any time, on an as-needed basis, a periodic basis, a random basis, another scheduled basis, or on an event driven basis in response to a particular event according to the particular requirements of a given situation. When the Trojan detection program executes, it examines the characteristics and behaviors of all computer programs that are executing at the current time on the subject computer system. The Trojan detection program evaluates each computer program that is running on the computer system under investigation, to determine whether the running computer program is a valid program or a Trojan.

[0019] The Trojan detection program 40 contains detection routines 42, including valid program detection routines 52 and Trojan detection routines 54. The valid program detection routines 52 include one or more routines identified by v₁, v₂, v₃, . . . , v_(M) in FIG. 2. The valid program detection routines 52 are configured to determine whether the program under investigation has characteristics and behaviors usually associated with a valid program. The Trojan detection routines 54 include one or more routines identified by t₁, t₂, t₃, . . . , t_(N) in FIG. 2. The Trojan detection routines 54 are configured to determine whether the program under investigation has characteristics and behaviors usually associated with a Trojan.

[0020] In one embodiment, the valid program detection routines 52 and the Trojan detection routines 54 are configured to gather information about each program under investigation by examining the program itself and by looking for information about the program in the operating system 46. The detection routines 42 access information from the operating system 46 using application programming interfaces (APIs) 48 to the operating system. The APIs 48 can include documented APIs, undocumented APIs, direct access to resources of the computer or information handling system such as memory or network connections, or kernel or device driver interfacing. The detection routines 42 gather information from the program itself by examining one or more of a binary image of the program that is stored in memory, a binary image of the program that is stored on disk or other media, the characteristics and behavior of the program, and any other related programs (such as libraries used by the program under investigation), represented by reference numerals 50 and 60 in FIG. 2.

[0021] For example, a detection routine 42 can be configured to take into account the following. Many Trojans log keystrokes on the Innocent Victim's computer and transmit the keystroke data from the Innocent Victim's computer to the Evil Hacker's computer. In one embodiment, a Trojan detection routine 54 determines whether or not the program being examined is logging keystrokes. Since there are many different ways for a program to log keystrokes, one or more of the Trojan detection routines 54 can be configured to examine the program under investigation to determine whether the program is using any of a number of different mechanisms for logging keystrokes.

[0022] The Trojan detection program 40 further includes a scoring algorithm 44. The scoring algorithm calculates two scores: a valid program score 56 and a Trojan score 58. If the result of a valid program detection routine 52 indicates that the characteristic or behavior of the program being examined was that of a valid program, then a weight, W_(i), is associated with the routine and that weight contributes positively to the valid program score 56. A weight, W_(i), is assigned to each valid program detection routine, for i=1 to M, where M is the number of valid program detection routines.

[0023] If the result of a Trojan detection routine 54 indicates that the characteristic or behavior of the program being examined was that of a Trojan, then a weight, W_(j), is associated with the routine and that weight contributes positively to the Trojan score 58. A weight, W_(j), is assigned to each Trojan detection routine, for j=1 to N, where N is the number of Trojan detection routines.

[0024] According to one embodiment, the scoring algorithm 44 comprises an algorithm that includes an algebraic formula for determining the two scores 56 and 58. The scoring algorithm is dependent on the valid program detection routines 52 and the weights, W_(i), associated with each valid program detection routine, in addition to the Trojan detection routines 54 and the weights, W_(j), associated with each Trojan detection routine. The algebraic formula or equation can also be made arbitrarily complex, for example, to include associating weights with one or more combinations of detection routines 42.

[0025] In one embodiment, the scoring algorithm 44 includes an algebraic equation defined as a sum of weighted values. For example, the algebraic equation for the valid program detection routines can include an equation as given by: $\mathrm{VALIDSCORE} = \sum_{i=1}^{M} W_{i}$,

[0026] where W_(i) = weight of a valid detection routine v_(i) for i=1 to M.

[0027] Similarly, the algebraic equation for the Trojan detection routines can include an equation as given by: $\mathrm{TROJANSCORE} = \sum_{j=1}^{N} W_{j}$,

[0028] where W_(j) = weight of a Trojan detection routine t_(j) for j=1 to N.

[0029] In another embodiment, more complex forms of the scoring algorithm 44 can be implemented in the form of more sophisticated algebraic formulae.

[0030] If a program under investigation exceeds a valid program score threshold, V_(thres), then it is determined that the program is a valid program. If that program exceeds a Trojan score threshold, T_(thres), then it is determined that the program is a Trojan program. If a program is deemed to be valid using the valid program algorithm, then it is sometimes removed from consideration by additional Trojan score routines.

[0031] Executable code and/or programs under investigation may also have some of the characteristics and behaviors of valid programs and some of the characteristics and behaviors of Trojans. If a program does not exceed either threshold or if a program does not have a significant difference between the valid program score 56 and the Trojan score 58, then according to another embodiment of the present disclosure, the method identifies the program in another category of Suspicious Programs or Anomalous Programs.
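As an added worked example, not code from the patent, the two-score scheme of paragraphs [0022] through [0031] in Python: weighted valid and Trojan routines are applied to each running program, VALIDSCORE and TROJANSCORE are the sums of the weights of the routines that fire, and the thresholds plus a minimum score margin decide between valid, Trojan and Suspicious. The process attributes, routine weights, thresholds and the sample process table are assumptions constructed for this example.

```python
"""Two-score weighted classifier from paragraphs [0022]-[0031].

VALIDSCORE  = sum of W_i over valid program detection routines v_i that fire
TROJANSCORE = sum of W_j over Trojan detection routines t_j that fire
A program is valid if VALIDSCORE > V_thres, a Trojan if TROJANSCORE > T_thres,
and otherwise (neither threshold exceeded, both exceeded, or no significant
difference between the scores) it goes into the Suspicious/Anomalous category.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcessInfo:
    """Constructed stand-in for the process behavior data and binary image data
    a real routine would obtain through operating system APIs (items 48, 50, 60
    in FIG. 2). The attribute names are assumptions made for this example."""
    name: str
    signed_by_known_vendor: bool = False
    has_visible_window: bool = False
    installs_keyboard_hook: bool = False
    reads_keyboard_device: bool = False
    listens_on_network_port: bool = False
    captures_screen: bool = False


@dataclass
class DetectionRoutine:
    name: str
    weight: float                          # W_i for valid routines, W_j for Trojan routines
    check: Callable[[ProcessInfo], bool]   # True when the characteristic is present


# v_1 .. v_M: characteristics usually associated with a valid program (assumed weights)
VALID_ROUTINES: List[DetectionRoutine] = [
    DetectionRoutine("v1 signed by known vendor", 4.0, lambda p: p.signed_by_known_vendor),
    DetectionRoutine("v2 has visible window", 2.0, lambda p: p.has_visible_window),
    DetectionRoutine("v3 no listening socket", 1.0, lambda p: not p.listens_on_network_port),
]

# t_1 .. t_N: characteristics usually associated with a Trojan. Two separate
# routines cover two different keystroke-logging mechanisms, as [0021] suggests.
TROJAN_ROUTINES: List[DetectionRoutine] = [
    DetectionRoutine("t1 keyboard hook installed", 3.0, lambda p: p.installs_keyboard_hook),
    DetectionRoutine("t2 keyboard device read directly", 3.0, lambda p: p.reads_keyboard_device),
    DetectionRoutine("t3 listening network port", 2.0, lambda p: p.listens_on_network_port),
    DetectionRoutine("t4 captures display screen", 2.0, lambda p: p.captures_screen),
]


def score(proc: ProcessInfo, routines: List[DetectionRoutine]) -> Tuple[float, List[str]]:
    """Sum of the weights of the routines that fire, plus the names of those routines."""
    fired = [r for r in routines if r.check(proc)]
    return sum(r.weight for r in fired), [r.name for r in fired]


def classify(proc: ProcessInfo, v_thres: float = 4.0, t_thres: float = 4.0,
             min_margin: float = 2.0) -> Dict[str, object]:
    """Apply thresholds V_thres and T_thres; a program whose scores are too close
    together, or that clears neither (or both) thresholds, is marked suspicious."""
    valid_score, valid_hits = score(proc, VALID_ROUTINES)
    trojan_score, trojan_hits = score(proc, TROJAN_ROUTINES)
    above_v = valid_score > v_thres
    above_t = trojan_score > t_thres
    margin = abs(valid_score - trojan_score)
    if above_v and not above_t and margin >= min_margin:
        verdict = "valid"
    elif above_t and not above_v and margin >= min_margin:
        verdict = "trojan"
    else:
        verdict = "suspicious"
    return {"name": proc.name, "verdict": verdict, "valid_score": valid_score,
            "trojan_score": trojan_score, "fired": valid_hits + trojan_hits}


def scan(processes: List[ProcessInfo]) -> Dict[str, str]:
    """Evaluate every running program, as [0018] describes; returns name -> verdict."""
    return {p.name: classify(p)["verdict"] for p in processes}


# Constructed process table standing in for the live process list of the IHS.
SAMPLE_PROCESSES = [
    ProcessInfo("editor", signed_by_known_vendor=True, has_visible_window=True),
    ProcessInfo("svchelper", installs_keyboard_hook=True, listens_on_network_port=True,
                captures_screen=True),
    ProcessInfo("remote_admin", signed_by_known_vendor=True, installs_keyboard_hook=True,
                listens_on_network_port=True),
    ProcessInfo("daemon", has_visible_window=True),
]

if __name__ == "__main__":
    for p in SAMPLE_PROCESSES:
        print(classify(p))
```

With the assumed weights, "editor" scores 7 valid / 0 Trojan, "svchelper" 0 / 7, "remote_admin" 4 / 5 (both scores near their thresholds with too small a margin) and "daemon" 3 / 0 (neither threshold exceeded), so the last two land in the Suspicious category.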

[0032] In one embodiment, the method for detecting malicious code on a computer system includes executing a malicious code detection program on the computer system. The malicious code detection program includes detection routines. The malicious code detection program applies the detection routines to programs running on the computer system during the execution of the malicious code detection program. The detection routines are assigned weights that are factored by a scoring algorithm to determine a composite score based on the results of the detection routines and their associated weights. For example, a malicious code detection routine has a weight associated with it, such that if the malicious code detection routine determines that a given code under investigation is a Trojan, then the weight is applied positively towards the malicious code score for the code under investigation. Lastly, the malicious code detection program determines whether one or more programs of all programs running on the computer system during operation of the malicious code detection program is a valid program or malicious code as a function of the weights assigned to the detection routines.

[0033] In another embodiment, the method is configured to detect malicious code in the form of a Trojan horse on a computer having an operating system. The method includes executing a malicious code detection program on the computer. Detection routines of the malicious code detection program are configured to gather information about programs running on the computer during execution of the malicious code detection program. The detection routines include at least one selected from the group consisting of a) examining each executable code or program itself and b) searching for information about each executable code or program in the operating system. For example, examining code or a program can include examining a binary image of the same, wherever the binary image may reside, within the IHS or in computer readable media accessible to the IHS. In addition, the detection routines further consist of valid program detection routines and malicious code detection routines.

[0034] The malicious code detection program applies the detection routines to the programs running on the computer. In response to a detection of a valid program or malicious code, the detection routines assign weights to respective programs under test as a function of a respective detection routine. Lastly, the malicious code detection program determines whether a program is a valid program or malicious code as a function of the weights assigned by the detection routines. Determining whether the program is a valid program or malicious code involves the scoring of an execution of each detection routine as a function of a respective weight. A scoring algorithm is used to identify a program as malicious code in response to a valid score and a malicious code score, as discussed herein.

[0035] In yet another embodiment, the method for detecting malicious code on a computer system includes executing detection routines, the detection routines having been configured to examine at least one selected from the group consisting of characteristics and behaviors of programs running on the computer system. For example, the detection routines can be configured to access process behavior data of a program running on the computer system. In addition, the characteristics and behaviors may include one or more of logging keystrokes, saving a display screen view, uploading files, downloading files, running programs, and controlling a display screen of the computer system.

[0036] Subsequent to execution of one or more of the detection routines, weights are assigned as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines. Lastly, the method determines whether a program is malicious code as a function of the weights assigned by the detection routines.

[0037] In the embodiment of the previous paragraph, the detection routines include valid program detection routines and malicious code detection routines. The valid program detection routines are configured to determine whether the program exhibits at least one or more characteristics and behaviors associated with a valid program. The malicious code detection routines are configured to determine whether the program exhibits at least one or more characteristics and behaviors associated with malicious code.

[0038] In one embodiment, the method of detecting Trojans is carried out in the form of a computer program. The computer program is executed on a desired computer system for detecting any potential Trojans present on the computer system. Execution of the computer program continues until all active programs on the computer system have been tested and evaluated. Alternatively, other criteria may be established for a duration of testing with the Trojan detection program. For example, execution of the malicious code detection program can be configured to occur in response to one or more of a random initiation and a periodic initiation.

[0039] According to another embodiment, the Trojan detection program comprises a small program configured for being delivered quickly, as well as for being executed quickly. The Trojan detection program can be delivered to the innocent victim's computer over a network, such as a Local Area Network (LAN), Wide Area Network (WAN), Internet, intranet, or any other global computer network 30. The Trojan detection program may also be delivered via suitable computer readable media, such as media 26 shown in FIG. 1.

[0040] While not stopping an infection of the computer system with Trojans, the method of the present embodiments identifies a Trojan when executing on a computer system. The method of identifying a Trojan could be combined with other methods, for example, a method for detecting infection, resulting in a more robust computer system malicious code protection implementation.

[0041] Although only a few exemplary embodiments have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible in the exemplary embodiments without materially departing from the novel teachings and advantages of the embodiments of the present disclosure. Accordingly, all such modifications are intended to be included within the scope of the embodiments of the present disclosure as defined in the following claims. In the claims, means-plus-function clauses are intended to cover the structures described herein as performing the recited function and not only structural equivalents, but also equivalent structures.

What is claimed is:
1. A method for detecting malicious code on an information handling system, comprising: executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines; applying the detection routines to executable code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines; and determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines.
2. The method of claim 1, wherein the malicious code comprises a Trojan horse.
3. The method of claim 1, wherein the detection routines include valid program detection routines and malicious code detection routines.
4. The method of claim 1, wherein the information handling system includes an operating system, further comprising: configuring the detection routines to gather information about the executable code under investigation by at least one selected from the group consisting of examining each code or program itself and searching for information about each respective code or program in the operating system.
5. The method of claim 1, wherein determining whether the code under investigation is a valid program or malicious code includes scoring the execution of the detection routines as a function of the weights.
6. The method of claim 5, wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.
7. A method for detecting malicious code in the form of a Trojan horse on an information handling system having an operating system, comprising: executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the information handling system during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each code or program itself and b) searching for information about each code or program in the operating system, the detection routines further consisting of valid program detection routines and malicious code detection routines; applying the detection routines to the executable code under investigation running on the information handling system, the detection routines further configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine; and determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, and wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.
8. A method for detecting malicious code on an information handling system, comprising: executing detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of executable code under investigation running on the computer system; assigning weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines; and determining whether executable code under investigation is malicious code as a function of the weights assigned by the detection routines.
9. The method of claim 8, wherein the detection routines include valid program detection routines and malicious code detection routines.
10. The method of claim 8, wherein the valid program detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with a valid program; and wherein the malicious code detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with malicious code.
11. The method of claim 8, wherein determining whether the executable code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights.
12. The method of claim 11, wherein scoring includes using a scoring algorithm configured to identify executable code as malicious code in response to at least one of a valid score and a malicious code score.
13. The method of claim 12, wherein the scoring algorithm determines a valid program by a summation of weights of the valid program detection routines being greater than a valid program weight threshold, and a malicious code by a summation of weights of the malicious code detection routines having a summed value greater than a malicious code weight threshold.
14. The method of claim 13, wherein the scoring algorithm further determines an anomalous program by the summation of weights of the valid program detection routines and the summation of weights of the malicious code detection routines both having sums greater than respective thresholds, or less than the respective thresholds.
15. The method of claim 8, further comprising: operatively coupling the detection routines to an operating system kernel of the information handling system via application programming interfaces (APIs).
16. The method of claim 8, wherein the detection routines are further configured to access process behavior data of executable code under investigation running on the information handling system.
17. The method of claim 8, wherein the characteristics and behaviors include at least one selected from the group consisting of logging keystrokes, saving a display screen view, uploading files, downloading files, running programs, and controlling the display screen.
18. The method of claim 8, wherein the detection routines access information about the executable code under investigation running on the information handling system from an operating system of the information handling system via Application Programming Interfaces (APIs), and the detection routines further gather information from executable code or a program itself by examining a binary image of the executable code or program, the characteristics and behavior of the executable code or program, and any other related code or programs used by the executable code under investigation.
19. The method of claim 8, further comprising: delivering malicious code detection code (MCDC) containing the detection routines to the information handling system in a small compact code module via one selected from the group consisting of a computer network, Internet, intranet, extranet, modem line, and prepackaged computer readable storage media.
20. The method of claim 8, wherein execution of the MCDC occurs in response to one selected from the group consisting of a random initiation, an event driven initiation, and a periodic initiation.
21. A computer program stored on computer-readable media for detecting malicious code in the form of a Trojan horse on an information handling system having an operating system, the computer program including instructions processable by the information handling system for causing the information handling system to: execute malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the computer during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each executable code or program itself and b) searching for information about each respective executable code or program in the operating system, the detection routines consisting of at least one of valid program detection routines and malicious code detection routines; apply the detection routines to the executable code under investigation running on the information handling system, the detection routines being further configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine; and determine whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.
22. A computer program stored on computer-readable media for detecting malicious code on an information handling system, the computer program including instructions processable by the information handling system for causing the information handling system to: execute detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of executable code under investigation running on the computer system; assign weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines; and determine whether executable code under investigation is malicious code as a function of the assigned weights.
23. The computer program of claim 22, wherein the detection routines include valid program detection routines and malicious code detection routines.
24. The computer program of claim 22, wherein the valid program detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with a valid program; and wherein the malicious code detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with malicious code.
25. The computer program of claim 22, wherein determining whether the executable code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights.
26. The computer program of claim 25, wherein scoring includes using a scoring algorithm configured to identify executable code as malicious code in response to at least one of a valid score and a malicious code score.
27. The computer program of claim 26, wherein the scoring algorithm determines a valid program by a summation of weights of the valid program detection routines being greater than a valid program weight threshold, and a malicious code by a summation of weights of the malicious code detection routine having a summed value greater than a malicious code weight threshold.
28. The computer program of claim 27, wherein the scoring algorithm further determines an anomalous executable code under investigation by the summation of weights of the valid program detection routines and the summation of weights of the malicious code detection routines both having sums greater than respective thresholds, or less than the respective thresholds.
29. The computer program of claim 22, further comprising instructions processable by the information handling system for causing the information handling system to: operatively couple the detection routines to an operating system kernel of the information handling system via application programming interfaces (APIs).
30. The computer program of claim 22, wherein the detection routines are further configured to access process behavior data of executable code under investigation running on the information handling system.
31. The computer program of claim 22, wherein the characteristics and behaviors include at least one selected from the group consisting of logging keystrokes, saving a display screen view, uploading files, downloading files, running programs, and controlling the display screen.
32. The computer program of claim 22, wherein the detection routines access information about the executable code under investigation running on the information handling system from an operating system of the information handling system via Application Programming Interfaces (APIs), and the detection routines further gather information from executable code or a program itself by examining a binary image of the executable code or program, the characteristics and behavior of the executable code or program, and any other related code or programs used by the executable code under investigation.
33. The computer program of claim 22, comprising instructions processable by the information handling system for further causing the information handling system to: deliver malicious code detection code (MCDC) containing detection routines to the information handling system in a small compact code module via one selected from the group consisting of a computer network, Internet, intranet, extranet, modem line, and prepackaged computer readable storage media.
34. The computer program of claim 22, wherein execution of the MCDC occurs in response to one selected from the group consisting of a random initiation, an event driven initiation, and a periodic initiation.
35. An information handling system comprising: a memory; a processor; an operating system; and computer-readable code stored on said memory and processable by said processor for detecting malicious code in the form of a Trojan horse, said computer-readable code including instructions for causing the processor to execute malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the information handling system during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each executable code or program itself and b) searching for information about each executable code or program in said operating system, the detection routines further consisting of valid program detection routines and malicious code detection routines, apply the detection routines to the executable code under investigation running on the information handling system, the detection routines further configured to assign weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine, and determine whether executable code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, and wherein scoring further includes configuring a scoring algorithm to identify executable code under investigation as malicious code in response to at least one of a valid score and a malicious code score.
36. An information handling system comprising: a memory; a processor; an operating system; and computer-readable code stored on said memory and processable by said processor for detecting malicious code on said information handling system, said computer-readable code including instructions for causing the processor to execute detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of programs running on said information handling system, assign weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines, and determine whether executable code under investigation is malicious code as a function of the weights assigned by the detection routines.
37. The information handling system of claim 36, wherein the detection routines include valid program detection routines and malicious code detection routines.
38. The information handling system of claim 36, wherein the valid program detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with a valid program; and wherein the malicious code detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with malicious code.
39. The information handling system of claim 36, wherein determining whether the executable code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights.
40. The information handling system of claim 39, wherein scoring includes using a scoring algorithm configured to identify executable code as malicious code in response to a valid score and a malicious code score.
41. The information handling system of claim 40, wherein the scoring algorithm determines a valid program by a summation of weights of the valid program detection routines being greater than a valid program weight threshold, and a malicious code by a summation of weights of the malicious code detection routine having a summed value greater than a malicious code weight threshold.
42. The information handling system of claim 41, wherein the scoring algorithm further determines an anomalous executable code under investigation by the summation of weights of the valid program detection routines and the summation of weights of the malicious code detection routines both having sums greater than respective thresholds, or less than the respective thresholds.
43. The information handling system of claim 36, wherein the characteristics and behaviors include at least one selected from the group consisting of logging keystrokes, saving a display screen view, uploading files, downloading files, running programs, and controlling the display screen.
44. The information handling system of claim 36, wherein the detection routines access information about the executable code under investigation running on the information handling system from said operating system of the information handling system via Application Programming Interfaces (APIs), and the detection routines further gather information from executable code or a program itself by examining a binary image of the executable code or program, the characteristics and behavior of the executable code or program, and any other related code or programs used by the executable code under investigation.
45. The information handling system of claim 36, wherein said computer-readable code further includes instructions for delivering the MCDC containing detection routines to said information handling system in a small compact code module via one selected from the group consisting of a computer network, Internet, intranet, extranet, modem line, and prepackaged computer readable storage media.
46. The information handling system of claim 36, wherein execution of the MCDC occurs in response to one selected from the group consisting of a random initiation, an event driven initiation, and a periodic initiation.
47. A method for detecting malicious code on an information handling system, comprising: executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines; applying the detection routines to code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of malicious code as a function of respective detection routines; and determining whether code under investigation is malicious code as a function of the weights associated by the detection routines.
48. The method of claim 47, wherein the malicious code comprises a Trojan horse.
49. The method of claim 47, wherein the information handling system includes an operating system, further comprising: configuring the detection routines to gather information about the code under investigation by examining each code or program itself and by searching for information about each respective code or program in the operating system.
50. The method of claim 47, wherein determining whether the code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights, further wherein scoring includes configuring a scoring algorithm to identify a code or program as malicious code in response to a malicious code score.
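The scoring algorithm recited in claims 27 and 28, repeated in claims 41 and 42 and referred to in claim 50, is easiest to follow as code. The block below is an added illustration, not code from the patent or from any product based on it. The malicious-code behaviors are the six named in claims 31 and 43; the valid-program characteristics (visible window, signed binary, uninstall entry), the individual weights, the two thresholds and the four sample programs are all assumptions constructed for this example. The point a practitioner should take from it is the four-way outcome: a valid score alone, a malicious score alone, or both (or neither) crossing their thresholds, the last two cases being reported as anomalous rather than silently resolved one way.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class CodeUnderInvestigation:
    """Observations gathered about one running program.

    In a real MCDC these fields would be filled from operating-system APIs
    and from the program's binary image; here they are set by hand.
    """
    name: str
    # Behaviors listed in claims 31 and 43.
    logs_keystrokes: bool = False
    saves_screen_view: bool = False
    uploads_files: bool = False
    downloads_files: bool = False
    runs_programs: bool = False
    controls_display: bool = False
    # Valid-program characteristics: assumptions for this example, not from the patent.
    has_visible_window: bool = False
    is_signed: bool = False
    has_uninstall_entry: bool = False


# A detection routine is (name, weight, predicate over the observations).
Routine = Tuple[str, int, Callable[[CodeUnderInvestigation], bool]]

# Weights are illustrative; a deployment would tune them against known samples.
VALID_ROUTINES: List[Routine] = [
    ("visible window", 3, lambda c: c.has_visible_window),
    ("signed binary", 4, lambda c: c.is_signed),
    ("uninstall entry", 2, lambda c: c.has_uninstall_entry),
]

MALICIOUS_ROUTINES: List[Routine] = [
    ("logs keystrokes", 4, lambda c: c.logs_keystrokes),
    ("saves screen view", 3, lambda c: c.saves_screen_view),
    ("uploads files", 2, lambda c: c.uploads_files),
    ("downloads files", 1, lambda c: c.downloads_files),
    ("runs programs", 2, lambda c: c.runs_programs),
    ("controls display", 3, lambda c: c.controls_display),
]

VALID_THRESHOLD = 4        # assumed valid program weight threshold
MALICIOUS_THRESHOLD = 5    # assumed malicious code weight threshold


def score(routines: List[Routine], code: CodeUnderInvestigation) -> int:
    """Apply every routine and sum the weights of those that fire (claim 27)."""
    return sum(weight for _, weight, fires in routines if fires(code))


def classify(code: CodeUnderInvestigation,
             valid_threshold: int = VALID_THRESHOLD,
             malicious_threshold: int = MALICIOUS_THRESHOLD) -> Tuple[str, int, int]:
    """Return (verdict, valid_score, malicious_score).

    valid:     only the valid sum exceeds its threshold
    malicious: only the malicious sum exceeds its threshold
    anomalous: both sums exceed, or neither exceeds, its threshold (claim 28)
    """
    valid_score = score(VALID_ROUTINES, code)
    malicious_score = score(MALICIOUS_ROUTINES, code)
    above_valid = valid_score > valid_threshold
    above_malicious = malicious_score > malicious_threshold
    if above_valid and not above_malicious:
        return "valid", valid_score, malicious_score
    if above_malicious and not above_valid:
        return "malicious", valid_score, malicious_score
    return "anomalous", valid_score, malicious_score


def sample_programs() -> Dict[str, CodeUnderInvestigation]:
    """Constructed observations for four programs (not real samples)."""
    return {
        # Ordinary desktop application that fetches its own updates.
        "word_processor": CodeUnderInvestigation(
            "word_processor", has_visible_window=True, is_signed=True,
            has_uninstall_entry=True, downloads_files=True),
        # Unsigned, windowless process exhibiting several claim-31 behaviors.
        "unknown_background": CodeUnderInvestigation(
            "unknown_background", logs_keystrokes=True, saves_screen_view=True,
            uploads_files=True, controls_display=True),
        # Legitimate remote-support tool: looks valid AND behaves like a Trojan.
        "screen_share": CodeUnderInvestigation(
            "screen_share", has_visible_window=True, is_signed=True,
            saves_screen_view=True, controls_display=True, uploads_files=True),
        # Nothing observed either way: too little evidence to decide.
        "idle_helper": CodeUnderInvestigation("idle_helper"),
    }


if __name__ == "__main__":
    for program in sample_programs().values():
        verdict, v, m = classify(program)
        print(f"{program.name:20s} valid={v:2d} malicious={m:2d} -> {verdict}")
```

The two anomalous cases are the ones worth attention operationally. A remote-support product that is signed and has a window but also captures the screen and uploads files scores high on both sides; a bare process with no observable characteristics scores low on both. Neither should be auto-classified; both are candidates for an allow-list entry or a closer look, which is exactly the distinction claim 28 draws.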